From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:08:02 +0200 (CEST)
Subject: [refpolicy] [PATCH 25/34] samba: curb on userdom permissions
Message-ID: <1554246805.164533.1492650482207@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the samba module. It aims to ensure user data confidentiality.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/samba.te | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/samba.te 2017-02-04 19:30:44.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/samba.te 2017-04-20 00:43:43.177442179 +0200
@@ -427,6 +427,9 @@ tunable_policy(`samba_enable_home_dirs',
 	userdom_manage_user_home_content_symlinks(smbd_t)
 	userdom_manage_user_home_content_sockets(smbd_t)
 	userdom_manage_user_home_content_pipes(smbd_t)
+',`
+	userdom_dontaudit_manage_user_home_content_dirs(smbd_t)
+	userdom_dontaudit_manage_user_home_content_files(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',
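Review bot: The new else branch on `samba_enable_home_dirs` silences denials rather than curbing access: nothing is removed from smbd_t in this hunk, and `userdom_dontaudit_manage_user_home_content_dirs(smbd_t)` / `userdom_dontaudit_manage_user_home_content_files(smbd_t)` hide exactly the write and create attempts on user home content that an administrator who left the boolean off would want to see in the audit log. If the goal is only to quiet benign probing, limit the suppression to search/read (a narrower userdomain dontaudit interface, if userdomain.if provides one) so write denials stay visible. The suppression is also partial, since symlink, socket and pipe denials are still audited while dir and file denials are not; a comment above the else branch such as `# dontaudit only dir/file probing; other classes stay audited on purpose` should record why, or the five classes should be treated alike. The enclosing tunable_policy block begins before the hunk.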
@@ -933,12 +936,18 @@
 miscfiles_read_localization(winbind_t)
 miscfiles_read_generic_certs(winbind_t)
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_manage_user_home_content_dirs(winbind_t)
-userdom_manage_user_home_content_files(winbind_t)
-userdom_manage_user_home_content_symlinks(winbind_t)
-userdom_manage_user_home_content_pipes(winbind_t)
-userdom_manage_user_home_content_sockets(winbind_t)
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`samba_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(winbind_t)
+	userdom_manage_user_home_content_files(winbind_t)
+	userdom_manage_user_home_content_pipes(winbind_t)
+	userdom_manage_user_home_content_sockets(winbind_t)
+	userdom_manage_user_home_content_symlinks(winbind_t)
+	userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+',`
+	userdom_dontaudit_manage_user_home_content_dirs(winbind_t)
+	userdom_dontaudit_manage_user_home_content_files(winbind_t)
+')
 
 optional_policy(`
 	ctdbd_stream_connect(winbind_t)
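Review bot: Gating winbind_t's home-content rules on `samba_enable_home_dirs` changes what that boolean means — its gen_tunable description (earlier in samba.te, outside this hunk) presumably still describes only smbd sharing home directories — so either update that description to state it now also governs winbind's access to user home content, or introduce a separate tunable, otherwise an administrator who exports no home shares but relies on winbind writing under home directories loses that silently with no audit trail. As in the smbd hunk, the else branch dontaudits only dir and file denials while symlink, pipe and socket denials stay audited; either cover the same five classes the true branch allows or add a comment such as `# dontaudit only dirs/files; other class denials are wanted in the log` so the asymmetry reads as intentional. Keeping the filetrans rule inside the true branch is right, since with the boolean off the create is denied anyway.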